On 21 June 2019, the European Banking Authority (EBA) published an opinion on the elements of strong customer authentication (SCA) under the second Payment Services Directive 2015/2366 (PSD2).
What is SCA?
The purpose of the new SCA rules is to make online payments more secure and to reduce the risk of fraud. Under the new rules, a payment service provider must apply SCA where a payment service user accesses its payment account online; initiates an electronic payment transaction; or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
SCA is based on the use of two or more of the following elements:
- knowledge (something only the user knows);
- possession (something only the user possesses); and
- inherence (something the user is).
These elements must be independent of each other: the breach of one must not compromise the reliability of the others. Two elements drawn from the same category (for example, a password and a PIN, both of which are knowledge) therefore do not amount to SCA, and the EBA opinion makes clear that the independence requirement is assessed against the specific implementation, not just the labels attached to the elements.
What does the EBA opinion say?
The EBA opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and whether these are considered compliant with the requirements of SCA. The EBA also provides some commentary on each of the three SCA elements listed above, and on the combinations of these elements.
In addition, the EBA opinion considers the possibility of making more time available for regulated entities (and therefore the rest of the industry) to prepare for the application date of SCA, and ultimately confirms that SCA will apply from 14 September 2019. The EBA does, however, acknowledge concerns raised regarding the preparedness of e-commerce businesses for SCA, and recognises that the entire payments chain, including card schemes and merchants, must take steps to apply or request SCA in order to avoid situations where payment transactions are interrupted, blocked or rejected.
As a result, the EBA opinion allows for the possibility that some National Competent Authorities (NCAs), such as the FCA, will choose to work with authorised entities "and relevant stakeholders, including consumers and merchants" to help them prepare, and may "provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA… and acquirers to migrate their merchants to solutions that support SCA", on an "exceptional basis" only. This additional time will only be available where payment service providers have agreed a migration plan with their NCA.
What does the FCA say?
The FCA has released a statement in response to the EBA opinion confirming that it will quickly agree a plan with all stakeholders across the payments industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver SCA.
The FCA has confirmed that it will not take enforcement action against firms that do not meet the relevant SCA requirements from 14 September 2019 in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan.
What does this mean for our clients?
We are helping our clients to prepare for compliance with SCA. We act for regulated payment service providers directly; and we have also received enquiries from merchants, technology providers, and other unregulated stakeholders in the payments ecosystem, all working to implement the SCA requirements.
Our regulated clients need to consider how they will implement the substantive requirements of SCA in light of the new guidance in the EBA opinion. They also need to consider whether and how to liaise with the FCA on the deadline for implementation and the migration plan. Procedurally, our regulated clients need to communicate with merchants, technology providers, and other payments entities to ensure that their substantive solution is rolled out effectively throughout the payment chain.
Our unregulated clients need to maintain an open dialogue with their regulated counterparts, in order that they are aware of any changes that they might be asked to make to their payments systems or infrastructure. Some of our unregulated clients have asked us to consider whether proposals put forward by their regulated counterparts are necessary and reasonable in light of the SCA requirements.
How can I get further information?
Fox Williams has extensive experience advising regulated and unregulated entities on payments. We would be happy to assist you further. In the first instance, please get in touch with Mardi MacGregor or Chris Finney from the Financial Services Regulatory team.